北郵國院大三電商在讀，隨課程進(jìn)行整理知識點(diǎn)。僅整理PPT中相對重要的知識點(diǎn)，內(nèi)容駁雜并不做期末突擊復(fù)習(xí)用。個(gè)人認(rèn)為相對不重要的細(xì)小的知識點(diǎn)不列在其中。如有錯(cuò)誤請指出。轉(zhuǎn)載請注明出處，祝您學(xué)習(xí)愉快。

編輯軟件為Effie，如需要pdf/docx/effiesheet/markdown格式的文件請私信聯(lián)系或微信聯(lián)系

Week4

PRC核心法律：Personal Information Protection Law 2021（PIPL）

Why does PIPL matter to business?

Operating within the law! 在法律范圍內(nèi)行動(dòng)

• (GDPR Compliant companies have a head start here!) (符合GDPR標(biāo)準(zhǔn)的公司在這方面已經(jīng)領(lǐng)先一步了!)

Avoiding reputational damage

避免名譽(yù)受損

Penalties: 處罰

• A66: Correction, confiscation of “unlawful income” 糾正、沒收“違法所得”
  • Failure to correct: fine for company of up to RMB 1 million 未改正的:對公司處以最高100萬元的罰款
  • Individuals directly responsible can be fined RMB10k-100k 直接責(zé)任人員可處1 -10萬元罰款
  • In “grave” circumstances – RMB 50 million /5% annual turnover, suspension or termination of business licence 情節(jié)嚴(yán)重的——5000萬元/年?duì)I業(yè)額5%，暫?；蚪K止?fàn)I業(yè)執(zhí)照
  • In “grave” circumstances – individuals can be fined RMB100k- RMB1million 情節(jié)嚴(yán)重的，個(gè)人可被處以10萬元至100萬元的罰款
• A67 – a ‘name and shame’ approach 一種“點(diǎn)名羞辱”的方法
• A69 – where cannot prove lack of liability for infringements: 不能證明無侵權(quán)責(zé)任的;
  • requirements to compensate loss 賠償損失的要求
  • Based on loss to individual and/or unjust enrichment 基于個(gè)人損失和/或不當(dāng)?shù)美?/li>
• A70 – potential prosecution for breach 可能因違規(guī)而被起訴

Oversight Bodies (A60-65) 監(jiān)管機(jī)構(gòu)

At National & Regional Level

在國家和區(qū)域一級

State Cybersecurity & Information Department at top level

最高級別的國家網(wǎng)絡(luò)安全和信息部門

Responsible for:

• Guidance on law & compliance 法律與合規(guī)指導(dǎo)
• Enforcement 執(zhí)行
• Dealing with complaints from individuals 處理個(gè)人投訴
• Creation of clear rules & standards for applying the PIPL 為應(yīng)用PIPL制定明確的規(guī)則和標(biāo)準(zhǔn)
• Support for R&D and adoption of privacy protection tech 支持隱私保護(hù)技術(shù)的研發(fā)和應(yīng)用
• Support for industry certification schemes 支持行業(yè)認(rèn)證計(jì)劃

Scope of the PIPL:

1. Within PRC borders (A3) 在中國境內(nèi)

2. Outside PRC (A3) borders where:

• Purpose is to provide products or service into China 目的是向中國提供產(chǎn)品或服務(wù)
• Analysis / Assessment of Chinese citizens’ activities within PRC (e.g. market research, targeted advertising) 分析/評估中國公民在中國境內(nèi)的活動(dòng)(如市場調(diào)查、定向廣告)

3. “natural persons” (A3)

• Living people
  • (But special arrangements for sensitive handling of the deceased’s information – A49) (但為妥善處理死者資料而作出的特別安排- A49)

4. Personal Information (A4)

• “all kinds of information recorded by electronic or other means” “以電子或其他方式記錄的各種資料”
  • “related to identified or identifiable natural persons…” “與已識別或可識別的自然人有關(guān)……”

5. “identified or identifiable natural persons…” “已識別或可識別的自然人……”

• Identifying from the information 從信息中識別
• Identifying from that information plus other information 通過這些信息加上其他信息進(jìn)行識別

6. Exceptions?

• “…not including information after anonymization handling.” “……不包括匿名處理后的信息?！?
  • De-identification (the information alone) (A73) 去識別化(信息本身)
  • Anonymisation (impossible to id and restore) (A73) 匿名化(無法識別和恢復(fù))
• The Profiling problem… 分析問題
  • If in doubt, treat as personal information 如有疑問，視為個(gè)人信息

7. Sensitive Personal Information (A28)

• “…once leaked or illegally used, may easily cause harm to…” “……一旦泄露或非法使用，很容易對……造成傷害?！?
  • personal dignity / privacy 個(gè)人尊嚴(yán)/隱私
  • Serious harm to personal or property security (e.g. use for fraud) 嚴(yán)重危害人身或財(cái)產(chǎn)安全(例如用于詐騙)
  • Includes:
    • Biometrics, religious belief, health records, finances, location tracking… 生物特征，宗教信仰，健康記錄，財(cái)務(wù)狀況，位置追蹤
    • Personal information of minors under 14 years of age 14周歲以下未成年人的個(gè)人信息
    • Non-exhaustive list 非詳盡無遺的清單

8. Additional safeguards; Necessity.

Who has responsibilities?

Public & Private Sector application

公共及私營部門應(yīng)用

Personal Information Handlers

個(gè)人信息處理者

• Organisations/ Individuals who “autonomously decide handling processes” “自主決定處理程序”的機(jī)構(gòu)/個(gè)人
  • Data Controllers 數(shù)據(jù)控制者
  • Also responsible for activities of processors 還負(fù)責(zé)處理器的活動(dòng)
• Any business collecting & using personal information is affected by this law 任何收集、使用個(gè)人信息的企業(yè)均受本法的影響

Key principles affecting businesses

Collection of personal information must be:

收集個(gè)人資料必須符合:

• Legal, necessary & honest 合法，必要和誠實(shí)
• Only collect information necessary for intended use 只收集預(yù)期用途所必需的信息
• Clarity (for data subject) 清晰性(適用于資料當(dāng)事人)

Obligations to ensure:

有義務(wù)確保:

• Data integrity & security 數(shù)據(jù)完整性與安全性
• Treatment and use in line with the law 依法處理和使用

Consent (A13-18) 同意收集數(shù)據(jù)的情況

• Required for collection and use of individual data 收集及使用個(gè)人資料所需
• must be informed 必須通知
• Must be voluntary and explicit 必須是自愿和明確的
• Only applies to purposes for specified which information collected (including entrusting information to sub- contractors) 只適用于收集資料的指定目的(包括將資料委托予分包商)
• May be withdrawn 可以撤回
• If declined, service may only be refused if information is necessary 如果被拒絕，只有在需要提供信息的情況下才可以拒絕服務(wù)
• Exceptions where provided by law, e.g. police investigation 法律規(guī)定的例外情況，例如警方調(diào)查

Compliance 合規(guī)收集的方法

By management and design 通過管理和設(shè)計(jì)

• E.g. website design: 網(wǎng)站設(shè)計(jì)
  • Clear privacy policy with ‘tick box’ (opt-in) type requirement to progress 明確隱私政策，并注明“選擇加入”類型要求
• E.g. recorded message (telephone sign-up) 錄音留言(電話報(bào)名)
• “using clear and easily understood language.” “使用清晰易懂的語言?！?/li>
• Key information must be provided, including: 必須提供關(guān)鍵信息，包括:
  • Name and details of information collector 信息采集器的名稱和詳細(xì)信息
  • Purpose and duration of collection and use 收集和使用的目的和期限
  • Information about exercise of data subject rights 關(guān)于行使數(shù)據(jù)主體權(quán)利的信息
• Children’s consent (A31) 孩子們的同意
  • For U14, Parent or Guardian must consent (Age verification, service limitations) 對于小于14歲的孩子，家長或監(jiān)護(hù)人必須同意(年齡驗(yàn)證，服務(wù)限制)

基于這些合規(guī)收集的方法，consent還需要什么呢

Consent (A13-18): （這里感覺可以接在上一個(gè)Consent下面，但是它在conpliance這個(gè)標(biāo)題下，就放在這里了，也算是一個(gè)對上面的某些點(diǎn)的詳細(xì)解釋）

• Requires careful management: 需要精心管理的:
  • Not to exceed clear purpose for which collected 不得超過收集的明確目的
  • Time limitation – not to be kept longer than needed for that purpose 時(shí)間限制-保存時(shí)間不得超過所需時(shí)間
• Consent can be withdrawn: 可以在下列情況下撤回同意:
  • Need to provide clear information on process 需要提供有關(guān)流程的明確信息
    • E.g account settings on website, dedicated email address, telephone number 例如，在網(wǎng)站上的帳戶設(shè)置，專用電子郵件地址，電話號碼
  • Best practice: regular checks 例如，在網(wǎng)站上的帳戶設(shè)置，專用電子郵件地址，電話號碼
    • E.g requirement to re-confirm consent every few months or after period of non-use of service / not logging in 例如，要求每隔幾個(gè)月或在不使用服務(wù)/不登錄一段時(shí)間后重新確認(rèn)同意
• The business model and ‘necessity’ (incl, onward data sale) 商業(yè)模式和“必要性”(包括后續(xù)數(shù)據(jù)銷售)

Alternative to Consent: Necessity

• Legal compliance 法律合規(guī)
  • E.g. tax laws, criminal investigations 稅法，刑事調(diào)查
  • Fulfilment of contracts 履行合同
    • Payment details, addresses (for distance selling) 付款詳情，地址(用于遠(yuǎn)程銷售)
• Emergencies 緊急事件
  • E.g. health emergency, employee collapse at work 例如，突發(fā)健康事件，員工在工作中昏倒
• Public interest 公共利益
  • Including “news reporting” 包括“新聞報(bào)道”
• Information already put in the public domain 已經(jīng)公開的信息

Further Obligations for Personal Information Handlers 個(gè)人信息處理者的進(jìn)一步義務(wù)

（其他義務(wù)在A50左右，不知道PPT怎么設(shè)計(jì)的，先按PPT的順序來吧）

A22 Mergers, sale, company dissolution, bankruptcy et cetera:

合并、出售、公司解散、破產(chǎn)等等:

• Notification requirements re pi to be transferred 通知要求將被轉(zhuǎn)移
• New holder bound by original conditions absent further consent 未經(jīng)進(jìn)一步同意，新持有人受原有條件約束

A23 transfer of personal information to another 將個(gè)人信息轉(zhuǎn)移給他人

• Only with full, informed & voluntary consent 只有在充分、知情和自愿同意的情況下

Automated decision-making (A24) 自動(dòng)決策

E.g. considering credit card applications

例如，考慮信用卡申請

Must be transparent and fair

必須透明和公平

“unreasonable differential treatment of individuals in trading conditions” forbidden

“個(gè)人在交易條件上的不合理差別待遇”是被禁止的

• E.g. offering different prices on ecommerce site based on profiling of individual 例如，根據(jù)個(gè)人概況在電子商務(wù)網(wǎng)站提供不同的價(jià)格

Must be “convenient method to refuse” targeted advertising / offers

是否有“方便的方法拒絕”定向廣告/優(yōu)惠

Individuals have a right to challenge & refuse automated decision making

個(gè)人有權(quán)質(zhì)疑和拒絕自動(dòng)決策

Additional rights for individuals 個(gè)人的附加權(quán)利

A44-A46: 個(gè)人對信息的控制權(quán)，查閱并獲得副本的權(quán)利和可移植性

Right of control over their information 對其信息的控制權(quán)

• Includes right to limit/refuse (ref: consent) 包括限制/拒絕的權(quán)利(參考:consent部分)

Right of access and to be given a copy 有權(quán)查閱并獲得一份副本

• Exceptions where provided by law 法律規(guī)定的例外情況
• Must be provided “in a timely manner” 必須“及時(shí)”提供

Information portability 信息的可移植性

• PI handler must facilitate transfer, e.g. to new service provider PI處理員必須協(xié)助轉(zhuǎn)移，例如轉(zhuǎn)移到新的服務(wù)提供商

Right to ensure information held about them is accurate 確保所掌握的有關(guān)他們的信息準(zhǔn)確無誤的權(quán)利

• Includes right to have inaccuracy corrected 包括要求更正錯(cuò)誤的權(quán)利

A47：被遺忘權(quán)

“Right to be forgotten”: information deletion “被遺忘權(quán)”:信息刪除

• Where purpose collected for achieved, is impossible, or information no longer necessary 在不可能達(dá)到收集目的，或者不再需要信息的情況下
• Service or product no longer available 服務(wù)或產(chǎn)品不再可用
• Consent withdrawn 同意取消
• Legally required retention period ended 法律規(guī)定的保留期結(jié)束
  • If not ended but consent withdrawn, must cease use and only store & ensure secure (same rule if deletion is “technically hard to realise” 如果沒有終止，但撤回同意，必須停止使用，只存儲和確保安全(如果刪除“技術(shù)上難以實(shí)現(xiàn)”，同樣的規(guī)則)。
• Personal Information handlers found to have breached the rules 被發(fā)現(xiàn)違反規(guī)定的個(gè)人信息處理者

A48-49：要求解釋pi處理規(guī)則的權(quán)利，死后信息處理

Right to request clear explanation of rules on handling of personal information (to ensure legal compliance)

要求明確解釋個(gè)人信息處理規(guī)則的權(quán)利(以確保合法合規(guī))

• Need for clarity: relevant to specific audiences, e.g. Children, visually impaired… 需要清晰:與特定受眾相關(guān)，例如兒童、視障人士……

Posthumous treatment of information 死后信息處理

• PIPL designed to protect living individuals PIPL旨在保護(hù)活著的個(gè)體
• BUT (unless prior arrangements made by individual) rights on death can be exercised by next of kin 但是(除非個(gè)人事先作出安排)死亡的權(quán)利可以由近親行使
  • “for the sake of their own lawful, legitimate interests” “為了他們自己的合法、正當(dāng)利益”
  • E.g. dealing with assets, closing accounts 處理資產(chǎn)，結(jié)帳

Obligations for Personal Information Handlers

A50：機(jī)制和流程

To establish mechanisms & processes to deal with individual requests re data rights

建立處理個(gè)人數(shù)據(jù)權(quán)利要求的機(jī)制和流程

Must provide explanation if refuse a request

如果拒絕請求必須提供解釋

• Individuals entitled to file a lawsuit to challenge such refusal 個(gè)人有權(quán)對這種拒絕提出訴訟

A51-53：數(shù)據(jù)安全要求

Data Security requirements

數(shù)據(jù)安全要求

• Clear information available on how information is stored, potential risks, and protections 明確信息的存儲方式、潛在風(fēng)險(xiǎn)和保護(hù)措施
  • Includes requirements of use of technological protections, regular staff training, clear operational limits [codes of conduct], incident response plans ready in advance 包括使用技術(shù)保護(hù)的要求，定期的員工培訓(xùn)，明確的操作限制[行為準(zhǔn)則]，提前準(zhǔn)備好事件響應(yīng)計(jì)劃
  • Dedicated protection staff (where company dealing with certain quotas set by State Cybersecurity & Informatisation Department) 專門的保護(hù)人員(公司處理國家網(wǎng)絡(luò)安全和信息化部門設(shè)定的特定配額)
  • Contact details for protection staff to be provided (inc specific individuals) 提供保護(hù)人員的聯(lián)絡(luò)資料(包括個(gè)別人士)
  • International companies to whom PIPL applies must appoint rep. in PRC PIPL申請的國際公司必須在中國指定代表
• (Works in tandem with Data Security Law 2021) (與《2021年數(shù)據(jù)安全法》協(xié)同工作)

A54-56：審查合規(guī)與安全、評估影響

Regular review and audits of pi handling & compliance, including security provisions (e.g. encryption up to date)

定期審查和審核pi處理和合規(guī)性，包括安全規(guī)定(例如加密更新)

In some circumstances must be impact assessment before information collected

在某些情況下，在收集信息之前必須進(jìn)行影響評估

• Sensitive pi, automated decision making, using subcontractor, sending pi outside China, or otherwise “major impact” on data subject 敏感pi，自動(dòng)化決策，使用分包商，將pi發(fā)送到中國境外，或?qū)?shù)據(jù)主體有其他“重大影響”

A57：pi泄露的補(bǔ)救，通知要求

Response to data leak Immediate remedial measures (based on existing processes)

對數(shù)據(jù)泄漏的響應(yīng)立即采取補(bǔ)救措施(基于現(xiàn)有流程)

Notification requirements 通知要求

• Government departments dealing with pi protection 處理pi保護(hù)的政府部門
• Must include:
  • Information category, cause, potential harm 信息類別，原因，潛在危害
  • Measures taken to mitigate harm 減輕傷害:為減輕傷害而采取的措施
  • Contact details 聯(lián)系方式
• No need to notify individuals if can be sure harm avoided by action taken 如果采取行動(dòng)可以避免傷害，則無需通知個(gè)人
• If believe harm may have been caused, must notify affected individuals 如果認(rèn)為可能造成傷害，必須通知受影響的個(gè)人

A58：公司

Providers of “important internet platform services. That have a large number of users and whose business models are complex…”

重要互聯(lián)網(wǎng)平臺服務(wù)提供商。那些擁有大量用戶且商業(yè)模式復(fù)雜的公司……”

• E.g. social media; scale/quantity of personal information 社交媒體;個(gè)人信息的規(guī)模/數(shù)量
• Additional requirements 附加要求
  • Oversight bodies “composed mainly of outside members” 監(jiān)督機(jī)構(gòu)“主要由外部成員組成”
  • Public social responsibility reports 公共社會責(zé)任報(bào)告

Working with other companies

A59：第三方

Third party subcontractors processing personal information? must ensure data security

處理個(gè)人信息的第三方分包商?確保數(shù)據(jù)安全

A20: 不止一個(gè)pi handler的情況

Clear agreement required on division of rights and responsibilities

對權(quán)利和責(zé)任的劃分需要明確的協(xié)議

Individuals can still demand action re rights from any one pi handler

個(gè)人仍然可以向任何一個(gè)pi處理程序請求操作權(quán)限

A21: 轉(zhuǎn)包商，次承包商

Subcontractors (A21): 轉(zhuǎn)包商，次承包商

• Can only be done with data subject consent 只能在數(shù)據(jù)主體同意的情況下進(jìn)行
• Must be an agreement setting out key issues, including: 必須是一份列出關(guān)鍵問題的協(xié)議，包括:
  • Time limitations 時(shí)間限制
  • Handling method 處理方法
  • Types of personal information to be collected 收集的個(gè)人信息類型
  • Protection measures 保護(hù)措施
  • Rights and Duties of each side 雙方的權(quán)利和義務(wù)
• Achievable by contractual agreement, binding corporate rules, etc. 雙方的權(quán)利和義務(wù)
• Legal responsibility for oversight remains with the PI handler 監(jiān)督的法律責(zé)任仍然由PI處理人員承擔(dān)

A38: 跨境數(shù)據(jù)轉(zhuǎn)移

Cross-border operations: transferring data out of China for processing and use elsewhere (A38)

跨境業(yè)務(wù):將數(shù)據(jù)轉(zhuǎn)移出中國，在其他地方進(jìn)行處理和使用

• Data localization 數(shù)據(jù)本地化
  • May only export data where “truly necessary” 只可在“真正需要”時(shí)導(dǎo)出數(shù)據(jù)
• Must fulfill one of following: 必須符合下列條件之一:
  • Pass State Cybersecurity & Informatisation Dept security assessment 通過國家網(wǎng)絡(luò)安全和信息化部門的安全評估
  • Certification by a specialised body recognized by C&I Dept 由C&I部認(rèn)可的專業(yè)機(jī)構(gòu)出具的證書
  • Standard contractual terms provided by C&I Dept C&I部提供的標(biāo)準(zhǔn)合同條款
  • Other conditions set out in law / regulation / by C&I Dept 法律/法規(guī)/工傷部規(guī)定的其他條件
• OR - data export to company in country China recognizes law 數(shù)據(jù)出口到中國國家公司承認(rèn)法律
• NB: Exporter liable to ensure compliance 注:出口商有責(zé)任確保符合規(guī)定
• Compliance strategies: 合規(guī)策略:
  • Training 訓(xùn)練
  • Oversight (legal advice) 監(jiān)督(法律意見)
  • Contract: get everything in writing! 合同:一切都要寫下來!
  • Pay close attention to C&I Dept advice 密切關(guān)注C&I部門的建議

A39：跨境數(shù)據(jù)轉(zhuǎn)移必須當(dāng)事人同意

Consent of the data subject is required (A39)

必須取得資料當(dāng)事人的同意

• All standard consent requirements apply (fully informed, et cetera) 適用所有標(biāo)準(zhǔn)同意要求(充分知情，等等)
• All details must be provided to permit full exercise of data subject rights 必須提供所有細(xì)節(jié)，以允許充分行使數(shù)據(jù)主體的權(quán)利

A40：跨境數(shù)據(jù)轉(zhuǎn)移必須在中國存儲信息

“Critical information infrastructure operators and pi handlers [who meet set data quotas]” must store information within PRC (A40)

“關(guān)鍵信息基礎(chǔ)設(shè)施運(yùn)營商和pi處理者(符合設(shè)定的數(shù)據(jù)配額)”必須在中國境內(nèi)存儲信息

• State C&I Dept to oversee 國家C&I部負(fù)責(zé)監(jiān)督
• Unless a standard arrangement in place with destination country, must be specific security assessment 除非與目的地國家有標(biāo)準(zhǔn)安排，否則必須進(jìn)行具體的安全評估

A41; 國家安全問題（只給許可的機(jī)構(gòu)）

National Security issues (A41) 國家安全問題

• Personal information stored in PRC may only be provided to foreign judicial or LEAs where PRC authorities have granted permission 存儲在中國境內(nèi)的個(gè)人信息僅可提供給經(jīng)中國當(dāng)局許可的外國司法機(jī)構(gòu)或許可機(jī)構(gòu)

A42：黑名單

Blacklist Provision (A42) 黑名單的條款

• If foreign organisations or individuals violate PRC law on information protection or harm national security, State C&I Dept can add to list requiring their access to Chinese PI be limited or prohibited 外國組織或個(gè)人違反中華人民共和國信息保護(hù)法或危害國家安全的，國家信息產(chǎn)業(yè)部可列入限制或禁止其訪問中國信息系統(tǒng)的名單

Key practical advice for compliance 合規(guī)的關(guān)鍵實(shí)用建議（暗示是重點(diǎn)部分?。。。?/h2>

1. If in doubt, treat it as personal information

如有疑問，將其視為個(gè)人信息

• The profiling question (especially online) 分析問題(尤其是在線問題)

【猜測會考，或者會涉及有疑問的地方。無腦當(dāng)個(gè)人信息就完了】

2. Informed Consent is King 知情同意為王

• Invest in ensuring consent properly acquired 投資于確保適當(dāng)獲得同意
  • Web design, training of telephone staff 網(wǎng)頁設(shè)計(jì)，電話人員培訓(xùn)
  • Clearly explained privacy policies with appropriate attention drawn 清楚地解釋隱私政策，并引起適當(dāng)?shù)淖⒁?/li>
  • Recording for telephone (or a script) 電話錄音(或腳本錄音)
• Consent trumps necessity! 同意勝過需要!

3. Sensitive Personal Data 敏感個(gè)人資料

• Easier to avoid where possible 盡可能避免
• Extra care, only process where strictly necessary 特別小心，只在絕對必要的情況下處理

4. If children are target market or among it: 如果兒童是目標(biāo)市場或其中之一:

• Remember all U14’s data is sensitive 記住所有 低于14歲的兒童的數(shù)據(jù)是敏感的
  • Parental consent requirements 家長同意要求
  • age verification – citizenship number, credit card… 年齡驗(yàn)證-公民號碼，信用卡…
  • Need extra flagging – website design, telephone procedure. 需要額外標(biāo)記-網(wǎng)站設(shè)計(jì)，電話程序。

5. Consent is an ongoing process, and can be withdrawn 同意是一個(gè)持續(xù)的過程，可以撤銷

• Need for regular dialogue with user (e.g. cooking warnings and regular reminders) 需要與用戶定期對話(例如烹飪警告和定期提醒)

6. Facilitating User rights 便利用戶權(quán)限

• Key contact details available, specialist staff where appropriate 關(guān)鍵聯(lián)系方式可用，專家人員在適當(dāng)情況下
• Proper internal organization & processes 適當(dāng)?shù)膬?nèi)部組織和流程
• Website design and access 網(wǎng)站設(shè)計(jì)與訪問
• Procedure in place for posthumous dealing with data, deletion whenever appropriate 死后處理數(shù)據(jù)的程序，在適當(dāng)?shù)臅r(shí)候刪除

7. Data Security 數(shù)據(jù)安全

• Comply with all guidance per regulatory authorities 遵守監(jiān)管機(jī)構(gòu)的所有指導(dǎo)
• Ensure encryption, firewalls et cetera are kept up to date 確保加密，防火墻等保持最新狀態(tài)
• Procedures in place for handling a data leak should one arise 如果出現(xiàn)數(shù)據(jù)泄漏，處理數(shù)據(jù)泄漏的適當(dāng)程序
• Prevention better than cure! 預(yù)防勝過彌補(bǔ)

8. Working with others

• Individual consent 個(gè)人同意
• The liability rules and importance of trusted partners 可信賴伙伴的責(zé)任規(guī)則及其重要性
  • Oversight responsibilities 監(jiān)管的責(zé)任
  • Importance of clear (written) rules 明確(書面)規(guī)則的重要性
• Transfer of personal information outside China
  • Ensure compliance with data localization rules 確保符合數(shù)據(jù)本地化規(guī)則
  • Necessity: not just convenience or cost-saving 必要性:不僅僅是方便或節(jié)省成本
  • Informed Consent 知情同意
  • Clear contractual agreements 明確的合同協(xié)議
    • May help with liability questions even where law recognized by PRC 可以幫助解決中國承認(rèn)的法律責(zé)任問題

9. Clear record keeping! 記錄清晰

• Information sent to customers, security procedures, actions in event of breach, audit requirements, dealing with individuals, showing followed all the rules… 發(fā)送給客戶的信息、安全程序、違規(guī)時(shí)的行動(dòng)、審計(jì)要求、與個(gè)人打交道、顯示遵守所有規(guī)則……
• Evidence Matters! 憑證事項(xiàng)

Protection of Communications Privacy in Postal Law

Postal Law of China: Article 4: 中國郵政法:第四條:

Freedom and privacy of correspondence shall be protected by law. No organization or individual shall infringe the freedom and privacy of correspondence of other persons for any reason, except when the inspection of correspondence in accordance with legal procedures by the public security organ, the State security organ or the procuratorial organ is necessary for the State’s safety or the investigation of a criminal offence.

通信自由和通信秘密受法律保護(hù)。任何組織和個(gè)人不得以任何理由侵犯他人的通信自由和通信隱私，但公安機(jī)關(guān)、國家安全機(jī)關(guān)、檢察機(jī)關(guān)因國家安全或者偵查刑事犯罪需要依照法定程序進(jìn)行通信檢查的除外。

Protection of personal information in Chinese Criminal Law

China’s Criminal Law Article 252:

中國刑法第二百五十二條:

“[t]hose infringing upon the citizen’s right of communication freedom by hiding, destroying, or *illegally *opening others’ letters, if the case is serious, are to be sentenced to one year or less in prison or put under criminal detention.”

“隱匿、銷毀或者非法拆拆他人信件，侵犯公民通信自由權(quán)利，情節(jié)嚴(yán)重的，處一年以上有期徒刑或者拘役?！?/p>

Article 284 Whoever unlawfully uses any special equipment or devices for eavesdropping or secret photographing, if the consequences are serious, shall be sentenced to fixed-term imprisonment of not more than two years, criminal detention or public surveillance.

第二百八十四條非法使用竊聽、偷拍的專用設(shè)備、器材，造成嚴(yán)重后果的，處二年以下有期徒刑、拘役或者管制。

Article 253(A) of the Criminal Law:

“where any staff member of a state organ or an entity in such a field as finance, telecommunications, transportation, education or medical treatment, in violation of the state provisions, sells or illegally provides personal information on citizens, which is obtained during the organ’s or entity’s performance of duties or provision of services, to others shall, if the circumstances are serious, be sentenced to fixed- term imprisonment not more than three years or criminal detention, and/or be fined.”

“國家機(jī)關(guān)、金融、電信、交通、教育、醫(yī)療等領(lǐng)域的工作人員違反國家規(guī)定，向他人出售或者非法提供在執(zhí)行職務(wù)或者提供服務(wù)過程中取得的公民個(gè)人信息，情節(jié)嚴(yán)重的，處三年以下有期徒刑或者拘役;或者被罰款。”

“whoever illegally obtains the aforesaid information by stealing or any other means shall, if the circumstances are serious, be punished under the preceding paragraph.”

以盜竊或者其他方法非法獲取上述信息，情節(jié)嚴(yán)重的，依照前款的規(guī)定處罰。

“where any entity commits either of the crimes as described in the preceding two paragraphs, it shall be fined, and the direct liable person in charge and other directly liable persons shall be punished under the applicable paragraph.”

有前兩款之罪的，對單位判處罰金，并對其直接負(fù)責(zé)的主管人員和其他直接責(zé)任人員，依照前款的規(guī)定處罰。

Communications Privacy in China

Article 7:Measures for Security Protection Administration of the International Networking of Computer Information Networks in the People’s Republic of China:

第七條中華人民共和國計(jì)算機(jī)信息網(wǎng)絡(luò)國際聯(lián)網(wǎng)安全保護(hù)管理辦法:

Users’ freedom of communication and communications secrecy are protected by law. No unit or individual shall use the international networking to infringe on users’ freedom of communication and communications secrecy in violation of the provisions of law.

用戶的通信自由和通信保密受法律保護(hù)。任何單位和個(gè)人不得利用國際網(wǎng)絡(luò)違反法律規(guī)定侵犯用戶的通信自由和通信保密。

Article 18 of the Implementation Rules for Provisional Regulations of the Administration of International Networking of Computer Information in the People’s Republic of China:

《中華人民共和國計(jì)算機(jī)信息國際聯(lián)網(wǎng)管理暫行條例實(shí)施細(xì)則》第十八條:

It is prohibited to infringe on the privacy of others by accessing computer systems without authorization, tampering with the information of others or sending information in the name of others.

禁止擅自進(jìn)入計(jì)算機(jī)系統(tǒng)、篡改他人信息或者以他人名義發(fā)送信息等侵犯他人隱私的行為。

Measures for the Administration of Internet E-mail Services 2006

Protects Chinese citizens privacy of correspondence in using Internet e-mail services.

保護(hù)中國公民使用互聯(lián)網(wǎng)電子郵件服務(wù)的通信隱私。

No organization or individual should infringe upon any citizens privacy of correspondence

任何組織和個(gè)人不得侵犯公民的通信隱私

Public Security Organ or Prosecutorial Organ can inspect the contents of correspondence pursuant to the procedures prescribed in law when required by national security or investigation of crimes

公安機(jī)關(guān)、檢察機(jī)關(guān)根據(jù)國家安全或者偵查犯罪的需要，可以依照法律規(guī)定的程序?qū)νㄐ艃?nèi)容進(jìn)行檢查

Obligations on Email Providers

Internet e-mail service provider obliged to keep confidential the users personal registered information and Internet e-mail addresses

互聯(lián)網(wǎng)電子郵件服務(wù)提供者有義務(wù)對用戶的個(gè)人注冊信息和互聯(lián)網(wǎng)電子郵件地址保密

Internet e-mail service provider or any of its employees should not illegally use any users personal registered information or Internet e-mail address, or should not divulge the uses personal registered information or Internet e-mail address without consent of the user.

互聯(lián)網(wǎng)電子郵件服務(wù)提供者及其工作人員不得非法使用用戶的個(gè)人注冊信息和互聯(lián)網(wǎng)電子郵件地址，未經(jīng)用戶同意，不得泄露用戶的個(gè)人注冊信息和互聯(lián)網(wǎng)電子郵件地址。

email services must comply with technical specifications established by the MII;

電子郵件服務(wù)必須符合信息產(chǎn)業(yè)部制定的技術(shù)規(guī)范;

anonymous email forwarding must be prevented by disabling open-relays;

匿名電子郵件轉(zhuǎn)發(fā)必須通過禁用開放中繼來防止;

security management is required, and remedial measures must be immediately undertaken when network security flaws are discovered;

需要進(jìn)行安全管理，發(fā)現(xiàn)網(wǎng)絡(luò)安全漏洞必須立即采取補(bǔ)救措施;

service providers must maintain copies of all emails sent and received, as well as the email addresses and IP addresses of senders/receivers for at least 60 days

服務(wù)提供商必須保存所有發(fā)送和接收的電子郵件副本，以及發(fā)件人/收件人的電子郵件地址和IP地址至少60天

• c/f European ePrivacy Directice 參閱歐洲電子隱私指令（與GDPR的相同點(diǎn)？）
  • Provisions on retention of Traffic Data 關(guān)于保留交通數(shù)據(jù)的規(guī)定

Penalties for breach 違約處罰

Fines of up to RMB 30,000 per occurrence and, in severe cases, criminal prosecution.

每次最高罰款3萬元，情節(jié)嚴(yán)重者，可提起刑事訴訟。

Reporting Obligations 報(bào)告義務(wù)

Establishment of Complaint and Handling Centre for Email Abuse

成立濫用電子郵件投訴及處理中心

Anti-Spam Provisions 反垃圾郵件的規(guī)定

Labeling Obligation 標(biāo)簽的義務(wù)

• Advertising emails must be clearly labelled ‘AD’ (or Mandarin characters) in subject line 廣告郵件必須在標(biāo)題欄注明“AD”(或中文字符)

Opt-in consent to receiving advertising email 可選擇同意接收廣告電子郵件

• Unsolicited advertising emails forbidden 禁止不請自來的廣告郵件

Prohibited Activities 禁止的行為

• Sending of email from someone else’s computer without authorisation 未經(jīng)授權(quán)從他人的電腦發(fā)送電子郵件
• Email harvesting 電子郵件獲取
• Selling, sharing or distributing harvested emails 出售、分享或分發(fā)收集到的電子郵件
• Anonymous / mislabelled emails 匿名/貼錯(cuò)標(biāo)簽的郵件

Content Restrictions 內(nèi)容限制

• Certain email content forbidden, includes: state secrets, hate speech, defamation, obscenity, pornography, gambling, violence, incitement to criminal activity. 某些郵件內(nèi)容被禁止，包括:國家機(jī)密、仇恨言論、誹謗、淫穢、色情、賭博、暴力、煽動(dòng)犯罪活動(dòng)。

Prohibitions on hacking, theft of others’ information on a network, spreading viruses, attacks on network security

禁止黑客攻擊、竊取他人網(wǎng)絡(luò)信息、傳播病毒、破壞網(wǎng)絡(luò)安全

信息允許在網(wǎng)上披露的情況

Disclosure online permissible if: 以下情況允許在網(wǎng)上披露:

• Consent in writing 書面同意
• Disclosure is necessary in the public interest 為了公眾利益，披露信息是必要的
• Educational or scientific entity makes disclosure in public interest, academic research, or statistical analysis 教育或科學(xué)單位為公共利益、學(xué)術(shù)研究或統(tǒng)計(jì)分析之披露
  • with consent in writing to publication AND 經(jīng)書面同意方可發(fā)表
  • Publication will not identify individual 出版物不會指明個(gè)人
• Information already made public, online or otherwise* 已經(jīng)公開、在線或以其他方式發(fā)布的信息
• Personal information legitimately obtained* 合法獲取的個(gè)人信息
• *Disclosure in these categories still subject to civil liability if against public interest or public morality, or publication causes harm to subject. 上述披露如違反公共利益或公共道德，或?qū)Ξ?dāng)事人造成損害，仍須承擔(dān)民事責(zé)任。

IISPs & Personal Information

核心法律：– “Several Provisions on Regulating the Market Order for Internet Information Services” 《關(guān)于規(guī)范互聯(lián)網(wǎng)信息服務(wù)市場秩序的若干規(guī)定》

Article 11：用戶對個(gè)人信息收集的同意

User consent required for: 以下需要用戶同意:

• Collection of personal data 個(gè)人資料的收集
• Disclosure to Third Party 向第三方披露
• Subject to exceptions provided for by law / administrative regulation 法律、行政法規(guī)另有規(guī)定的除外

Once consent obtained: 征得同意后:

• Clear information to user how data will be collected / processed, & what personal data collected 向用戶明確如何收集/處理數(shù)據(jù)，以及收集哪些個(gè)人數(shù)據(jù)

Collection limited: 收集的限制

• Only data necessary to provide service 僅提供服務(wù)所需的數(shù)據(jù)
• Use Restriction 使用限制

Article 12：保護(hù)信息

Website operators: duty to protect information

網(wǎng)站運(yùn)營者:保護(hù)信息的義務(wù)

Leakage must be reported to local telecommunications authority if may cause “serious consequences”

如果泄漏可能造成“嚴(yán)重后果”，必須向當(dāng)?shù)仉娦胖鞴懿块T報(bào)告。

Article 13：用戶對信息的權(quán)利，運(yùn)營商保護(hù)信息

User rights to use / modify / delete information they upload

用戶有權(quán)使用/修改/刪除他們上傳的信息

Operators may not modify or delete information without legitimate reason

無正當(dāng)理由，經(jīng)營者不得修改、刪除信息

Operators may not disclose or transfer without user consent

未經(jīng)用戶同意，運(yùn)營商不得披露或轉(zhuǎn)讓

User consent must be genuine – no deception, coercion or misleading

用戶同意必須是真實(shí)的-沒有欺騙，脅迫或誤導(dǎo)

Article 14 申訴

Complaints procedure

申訴程序

• Clear contact information for Operator on website 15 day response period 在網(wǎng)站上明確運(yùn)營商的聯(lián)系方式，15天響應(yīng)期

Articles 15-18：懲罰

Penalties 懲罰

• RMB10,000-30,000
• Telecommunication authorities empowered to make public announcement of wrongdoing 電信主管部門有權(quán)對違法行為進(jìn)行公告

Provisions on Telecommunication & Internet User Personal Information Protection 2013

Article 4 - ‘Personal information’

Information relating to individuals, collected by telcos and IISPs in course of service provision

電訊公司及互聯(lián)網(wǎng)服務(wù)供應(yīng)商在提供服務(wù)過程中所收集的個(gè)人資料

• Includes name, DOB, ID no, address, phone, account info, passwords and other info that can be used separately orwith other information to ID an individual. 包括姓名、出生日期、身份證號碼、地址、電話、賬戶信息、密碼和其他信息，這些信息可以單獨(dú)使用，也可以與其他信息一起使用，以識別個(gè)人身份。
• Includes log details 包括日志詳細(xì)信息

Article 5：收集信息合法

Collection must be legal, proportionate, necessary

收集必須是合法的、適當(dāng)?shù)?、必要?/p>

Though note other laws require retention for security purposes

盡管注意到其他法律出于安全目的要求保留

Article 9

Consent requirement

需要同意

No mention of opt in/out, BUT 2013 Guidelines suggest opt in for sensitive personal information (e.g. religious details)

沒有提到選擇加入/退出，但2013年指南建議選擇加入敏感的個(gè)人信息(例如宗教細(xì)節(jié))

Further requirements throughout for transparency

透明度的進(jìn)一步要求貫穿始終

• INFORMED consent 知情同意

Guidelines for the supervision of IT Outsourcing risks of Banking Financial Institutions (2014)

Applies to all banks & finance institutions established in PRC (A2)

適用于所有在中國境內(nèi)設(shè)立的銀行及金融機(jī)構(gòu)(A2)

Designed to regulate outsourcing (A3)

旨在規(guī)范外包(A3)

• E.g. bank hires a subsdiary company to run customer- service call centre 銀行雇傭了一家子公司來經(jīng)營客戶服務(wù)電話中心

Banks must guarantee confidentiality of “client information” (A15)

銀行必須保證“客戶資料”的機(jī)密性(A15)

Consumer Protection Law

Aims (Article 1)

Consumer protection

消費(fèi)者保護(hù)

And to promote “development of the socialist market economy”

促進(jìn)“社會主義市場經(jīng)濟(jì)的發(fā)展”

• c/f EU Digital Single Market strategy 參考?xì)W盟數(shù)字單一市場戰(zhàn)略

Scope (Article 3)

Consumer transactions

消費(fèi)者交易

• “Proprietors producing or selling goods to provide to consumers…” “生產(chǎn)或者銷售向消費(fèi)者提供的商品的經(jīng)營者……”

Mix of obligations for sellers and rights for consumers

賣方的義務(wù)和消費(fèi)者的權(quán)利混合在一起

Consumers – “right to have their personal information protected” (A14)

消費(fèi)者-“個(gè)人資料受保障的權(quán)利”(A14)

SAIC: Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers 工商總局:《侵害消費(fèi)者權(quán)益行為處罰辦法》

Article 11：消費(fèi)者個(gè)人信息的定義

List of forbidden actions re infringement of consumer privacy in personal information

禁止的行為清單是侵犯個(gè)人信息中的消費(fèi)者隱私

“Consumer personal information” = “information collected by an enterprise operator during the sale of products or provision of services, that can, singly, or in combination with other information, identify a consumer.”

“消費(fèi)者個(gè)人信息”=“企業(yè)經(jīng)營者在銷售產(chǎn)品或者提供服務(wù)過程中收集的能夠單獨(dú)或者與其他信息結(jié)合識別消費(fèi)者身份的信息”。

• Specific examples of “consumer personal information” – “name, gender, occupation, birth date, identification card number, residential address, contact information, income and financial status, health status, and consumer status”. “消費(fèi)者個(gè)人信息”的具體示例——“姓名、性別、職業(yè)、出生日期、身份證號碼、居住地址、聯(lián)系方式、收入和財(cái)務(wù)狀況、健康狀況和消費(fèi)者狀況”。

Forbidden activities (see A29):

Collection & use without consent

未經(jīng)同意收集及使用

Disclosure, sale or illegal transfer to third parties

披露、出售或非法轉(zhuǎn)讓給第三方

Commercial communications (SPAM) where either no consent or clear indication not wanted

未經(jīng)同意或明確表示不需要的商業(yè)通訊(SPAM)

Obligations (see esp. A29):

Lawfulness, rationality, necessity

合法性，合理性，必要性

Expressly state purpose, method, scope of collection & use

明確說明收集和使用的目的、方法、范圍

Consent

同意

Security (and duty to act if breach)

安全(以及違規(guī)時(shí)采取行動(dòng)的責(zé)任)

Publicise Privacy Policy

公布隱私政策

Observe additional laws and/or contractual obligations

遵守其他法律和/或合同義務(wù)

Penalties – Article 56

Warning

警告

Confiscation of illegal gains

沒收違法所得

Fine of up to 10 x illegal gain or if none, up to RMB500.000

違法所得十倍以下罰款，若沒有，五十萬元以下罰款

Closure of business for remediation or revocation of business licence

停業(yè)整頓或者吊銷營業(yè)執(zhí)照

Potential civil liabilities

潛在的民事責(zé)任

China’s eCommerce Law

Article 24: 清楚列明

ecommerce businesses must:

• Clearly state methods / procedures to facilitate individuals to: 清楚列明方法/程序，方便個(gè)人:
  • Make enquiries about what information is held about them 詢問有關(guān)他們的信息
  • Correct wrong information 糾正錯(cuò)誤信息
  • Delete user information where requested 刪除請求的用戶信息
  • De-registration of user-accounts (no unreasonable consitions to be appied) 注銷用戶賬號(不得提出不合理的條件)

Article 25：提供信息

Provide information to relevant authorities on request

應(yīng)要求向有關(guān)當(dāng)局提供信息文章來源地址http://www.zghlxwxcb.cn/news/detail-675381.html

• Criminal investigation, et cetera 刑事調(diào)查，等等

到了這里，關(guān)于【北郵國院大三下】Cybersecurity Law 網(wǎng)絡(luò)安全法 Week4的文章就介紹完了。如果您還想了解更多內(nèi)容，請?jiān)谟疑辖撬阉鱐OY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章，希望大家以后多多支持TOY模板網(wǎng)！